Rust Crates.io Hack: ‘evm-units’ Package Infected 7K Web3 Developer Workstations
A new case of software supply-chain compromise has been uncovered on the crates.io platform: a malicious Rust package was silently infecting the workstations of Web3 developers, disguising itself as an auxiliary tool for the Ethereum Virtual Machine and adapting its behavior to three major desktop operating systems.
The package, titled “evm-units,” appeared in the repository in mid-April 2025, uploaded by a user named “ablerust.” Over eight months it amassed more than 7,000 downloads. The same author published an additional package, “uniswap-utils,” which listed “evm-units” as a dependency — adding another 7,400+ downloads. Both projects have since been removed from the platform, yet the malicious code had already spread widely throughout the ecosystem.
According to the firm Socket, the harmful functionality was concealed inside what appeared to be a harmless function, “get_evm_version().” Instead of merely returning an Ethereum version string, it identified the victim’s operating system, checked whether the process “qhsafetray.exe” was running, and queried an external resource — download.videotalks[.]xyz — for the next stage of the attack.
Depending on the platform, a separate payload was downloaded and executed in the background: on Linux, a script was stored in /tmp/init and launched via nohup; on macOS, a file named init was executed using osascript and nohup; on Windows, a PowerShell script, init.ps1, was written to the temporary directory and run covertly.
Particular attention in the malware’s design was paid to 360 Total Security, a product of the Chinese company Qihoo 360. The presence of the process “qhsafetray.exe” changed the execution path: if absent, a Visual Basic Script wrapper was created to launch PowerShell invisibly; if detected, execution shifted to a more direct PowerShell invocation.
Socket researcher Olivia Brown links this logic to a deliberate targeting of users in China and the broader Asian region, where the retail cryptocurrency market remains one of the world’s largest.
References to EVM and the Uniswap protocol allowed the attacker to seamlessly embed the malicious code into the Web3 development ecosystem, passing it off as a set of useful utilities for working with Ethereum. The dependency chain compounded the risk: embedding “evm-units” inside the popular “uniswap-utils” meant the malicious loader ran automatically whenever projects using that library were initialized.
The incident illustrates just how perilous attacks through open code repositories have become — and how vital it is for blockchain developers to scrutinize both the composition and the provenance of every module they integrate.
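A defensive check for the dependency chain described above, as an added example that is not from the original article or from Socket: it reads a Cargo.lock and lists every package that is, or transitively depends on, one of the two crates named here. The lockfile contents, `my-dapp`, `clean-lib` and the version string are constructed, and matching is by crate name only because the article gives no version numbers.

```rust
use std::collections::{BTreeMap, BTreeSet};

type Graph = BTreeMap<String, Vec<String>>; // package name -> dependency names
const FLAGGED: [&str; 2] = ["evm-units", "uniswap-utils"]; // names from the article; any version matches
const SAMPLE: &str = r#"[[package]]
name = "clean-lib"
[[package]]
name = "evm-units"
[[package]]
name = "my-dapp"
dependencies = [
 "uniswap-utils",
]
[[package]]
name = "uniswap-utils"
dependencies = [
 "evm-units 0.0.0",
]
"#; // constructed lockfile, version lines left out; "my-dapp" and "clean-lib" are made up

/// Line-based reader; assumes cargo's layout, where only dependency entries start with a quote.
fn parse_lock(lock: &str) -> Graph {
    let (mut graph, mut current) = (Graph::new(), String::new());
    for line in lock.lines().map(str::trim) {
        if let Some(name) = line.strip_prefix("name = ") {
            current = name.trim_matches('"').to_string();
            graph.entry(current.clone()).or_default();
        } else if line.starts_with('"') {
            let dep = line.split(|c: char| c == '"' || c == ' ').nth(1).unwrap_or_default();
            graph.entry(current.clone()).or_default().push(dep.to_string());
        }
    }
    graph
}

/// True if `name` is flagged or reaches a flagged crate through its dependencies.
fn reaches(graph: &Graph, name: &str, seen: &mut BTreeSet<String>) -> bool {
    FLAGGED.contains(&name) || (seen.insert(name.to_string())
        && graph.get(name).map_or(false, |deps| deps.iter().any(|d| reaches(graph, d, seen))))
}

/// Every package that is, or transitively depends on, a flagged crate.
fn affected(graph: &Graph) -> BTreeSet<String> {
    graph.keys().filter(|n| reaches(graph, n, &mut BTreeSet::new())).cloned().collect()
}

fn main() {
    println!("affected: {:?}", affected(&parse_lock(SAMPLE)));
}
```

To scan a real project, pass the contents of its Cargo.lock to `parse_lock` in place of `SAMPLE`.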